#
# -*- shell-script -*-
#
#  Configuration file for ferm(1).
#

def $SERVER_TCP_PORTS = (<%= ferm_server_tcp_ports %>);

table filter {
    chain INPUT {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local packages
        interface lo ACCEPT;

        # respond to ping, but limit that
        proto icmp ACCEPT;

        # allow IPsec
        proto udp dport 500 ACCEPT;
        proto (esp ah) ACCEPT;

        # allow the defined tcp connections
        #proto tcp dport ssh ACCEPT;
				proto tcp dport $SERVER_TCP_PORTS ACCEPT;

				# if you want use munin - add this policy here and customize your ip addresses
				# saddr (123.456.789.101 123.456.789.101 123.456.789.101 123.456.789.101) proto tcp dport 4949 ACCEPT;
    }
    chain OUTPUT {
        policy ACCEPT;

        # connection tracking
        #mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }
    chain FORWARD {
        policy DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;
    }
}

# Drop policy for ipv6
# IPv6:
domain ip6 {
    table filter {
        chain INPUT {
            policy DROP;
	    interface lo ACCEPT;
        }
    }
}